
FAQ 10/2014

How to configure Free Radius Server
RUGGEDCOM WIN

http://support.automation.siemens.com/WW/view/en/103156513
This entry is from the Siemens Industry Online Support. The general terms of use
(http://www.siemens.com/terms_of_use) apply.

Security information
Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, solutions, machines, equipment and/or
networks. They are important components in a holistic industrial security
concept. With this in mind, Siemens products and solutions undergo continuous
development. Siemens recommends strongly that you regularly check for
product updates.
For the secure operation of Siemens products and solutions, it is necessary to
take suitable preventive action (e.g. cell protection concept) and integrate each
component into a holistic, state-of-the-art industrial security concept. Third-party
products that may be in use should also be considered. For more information
about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-
specific newsletter. For more information, visit
http://support.automation.siemens.com.

Table of Contents
1 Introduction ........................................................................................................ 3
1.1 About This Document ........................................................................... 3
1.2 Related Documents .............................................................................. 3
1.3 Abbreviations & Acronyms ................................................................... 3
2 Free Radius Installation .................................................................................... 4
3 Free Radius Configuration ............................................................................... 5
3.1 Certificates download ........................................................................... 5
3.2 Files configuration ................................................................................ 5
3.2.1 Eap.conf ............................................................................................... 5
3.2.2 Clients.conf ........................................................................................... 6
3.2.3 Users file ............................................................................................... 6
3.3 Server start ........................................................................................... 6
3.3.1 General ................................................................................................. 6
3.3.2 Logging ................................................................................................. 7
3.4 Possible problems and solutions .......................................................... 7

Siemens AG 2014 All rights reserved

Free Radius Server Configuration
Entry-ID: 103156513, V 1.0, 10/2014
1 Introduction

1.1 About This Document
This document describes how to configure the Free Radius server.

1.2 Related Documents


Table 1-1
#  Doc Name                  Version  Notes
1  IEEE 802.16e              D8
2  WiMax Forum NWG standard  v1.3
3  RFC 2865 RADIUS           -

1.3 Abbreviations & Acronyms


Table 1-2
Abbreviation/Acronym  Description
RF                    Radio Frequency
CPE                   Subscriber station
BS                    Base Station
System                RUGGEDCOM WIN BS and RUGGEDCOM WIN CPE
AAA server            Authentication, Authorization and Accounting server
RADIUS                Remote Authentication Dial In User Service. The protocol is in use
                      between various networking devices and AAA and is needed for
                      user authentication purposes.
X.509                 Standard format for security certificates
NAI                   Network Access Identifier

2 Free Radius Installation


The Free Radius server can be installed on basically any Linux distribution.
As we have tested it on the Fedora 7 distribution, this is the distribution that we
recommend.
The supported version of Free Radius is 2.0.3 and it is available on our FTP server.
Untar the archive, change into the extracted directory and take the following steps
to build and install the server:
1. $ ./configure
2. $ make
3. $ make install

The first time after installation, you should run the server as "root". This will cause
the server to create the certificates it needs for EAP. These certificates will later be
replaced by the relevant server certificates (see chapter 3.1).
After the first run, the server can be run from an unprivileged user account.
3 Free Radius Configuration


Once Free Radius is installed, the following steps shall be done in order to
make the server operational:
1. Download the certificates
2. Configure the eap.conf, clients.conf and the users file
3. Start the server in debugging mode

All the relevant configuration files are located in the raddb directory.
In Free Radius 2.0.3 the directory path is: /usr/local/etc/raddb
The certificates shall be located in the certs directory: /usr/local/etc/raddb/certs

3.1 Certificates download


The following X.509 certificates and files shall be downloaded to the certs directory:
1. CA root certificate: cacert.pem
2. Server certificate: servercert.pem
3. Server private key: serverkey.pem
4. Random seed file: random

These files can be found on the FTP server.

Also, make sure the dh file is present and that it is empty. To check that the file is
empty, open it with the vi command.

3.2 Files configuration


3.2.1 Eap.conf

The following parameters shall be configured in the eap.conf file:

1. default_eap_type = ttls
2. mschapv2 support
3. The path of the certificates under the tls section of the file.
The relevant eap.conf file can be found on the FTP server.
Note that the certificate paths in the file correspond to the default paths and
default certificate names.
If the certificate names or paths are changed, make sure you update the eap.conf
file accordingly.
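The following POSIX shell script is an added example; it is not the eap.conf from the FTP server. It checks the certs directory against the list in chapter 3.1 (the four files present and non-empty, the dh file present and empty) and prints an eap section for chapter 3.2.1 that sets TTLS as the default EAP type, MSCHAPv2 inside the tunnel and the certificate paths using the FAQ's file names. The owner-only permission check on serverkey.pem, the timer values and the inner-tunnel settings are assumptions beyond the FAQ text; the sample directory it creates holds placeholder files, not real certificates.

```sh
#!/bin/sh
# Added example (not part of the Siemens FAQ): check the raddb/certs directory
# from chapter 3.1 and print an eap.conf fragment for chapter 3.2.1.

# Files chapter 3.1 says must be present in $RADDB/certs (plus the empty dh file).
REQUIRED_CERT_FILES="cacert.pem servercert.pem serverkey.pem random"

# check_raddb_certs RADDB_DIR
# Returns 0 when every check passes; otherwise prints each problem to stderr and returns 1.
check_raddb_certs() {
    certs="$1/certs"
    status=0
    for f in $REQUIRED_CERT_FILES; do
        if [ ! -s "$certs/$f" ]; then
            echo "missing or empty: $certs/$f" >&2
            status=1
        fi
    done
    # Chapter 3.1: the dh file must be present and empty.
    if [ ! -f "$certs/dh" ]; then
        echo "missing: $certs/dh" >&2
        status=1
    elif [ -s "$certs/dh" ]; then
        echo "dh file is not empty: $certs/dh" >&2
        status=1
    fi
    # Assumption (not in the FAQ): the server private key should be owner-only (mode 600).
    if [ -f "$certs/serverkey.pem" ]; then
        perms=$(ls -l "$certs/serverkey.pem" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "serverkey.pem is readable by group/others; chmod 600 it" >&2
            status=1
        fi
    fi
    return $status
}

# write_eap_fragment
# Prints an eap section with the three items from chapter 3.2.1. ${confdir} is the
# FreeRADIUS variable for the raddb directory; the heredoc is quoted so the shell
# does not expand it. The ttls options are assumptions beyond the FAQ text.
write_eap_fragment() {
    cat <<'EOF'
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # private_key_password is only needed if serverkey.pem is encrypted
        private_key_file = ${certdir}/serverkey.pem
        certificate_file = ${certdir}/servercert.pem
        CA_file = ${cadir}/cacert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
    }
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        # yes, so reply items such as Session-Timeout from the users file reach the CPE
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
EOF
}

# make_sample_raddb
# Creates a temporary raddb directory with constructed placeholder files (not real
# certificates) laid out as chapter 3.1 describes, and prints its path.
make_sample_raddb() {
    d=$(mktemp -d)
    mkdir -p "$d/certs"
    echo "placeholder CA certificate" > "$d/certs/cacert.pem"
    echo "placeholder server certificate" > "$d/certs/servercert.pem"
    echo "placeholder server private key" > "$d/certs/serverkey.pem"
    chmod 600 "$d/certs/serverkey.pem"
    echo "placeholder random seed" > "$d/certs/random"
    : > "$d/certs/dh"
    echo "$d"
}

# Usage: sh check_raddb.sh /usr/local/etc/raddb > eap-fragment.conf
if [ -n "${1:-}" ]; then
    check_raddb_certs "$1" && write_eap_fragment
fi
```

Run it against the real raddb directory after copying the files from the FTP server; if any line is printed on stderr, fix that file before starting radiusd, because a missing or unreadable certificate shows up only as a TLS failure at the first EAP exchange.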

3.2.2 Clients.conf

The clients.conf file shall be configured with the expected RADIUS client IP address
and secret.
The RADIUS client IP and secret shall match the values configured in the BS (in
SA mode) or in the ASNGW (in ASN mode).
For example:
client localhost {
    ipaddr = 192.168.101.11 # BS IP
    netmask = 32
    secret = Cisco # The password must be the same as configured in the BS.
}

Instead of defining a client entry for every BS/ASNGW, it is possible to configure the
whole subnet. It is less secure, but more convenient:
client localhost {
    ipaddr = 192.168.101.0 # class C subnet
    netmask = 24
    secret = Cisco # The password must be the same as configured in the BS.
}
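The following POSIX shell script is an added example, not a file from the FAQ or the FTP server. It generates one clients.conf entry per BS/ASNGW from an inline inventory, which is the per-client alternative to the subnet entry above, and refuses entries with a malformed address, an out-of-range netmask or a short secret. The 16-character minimum, the shortname item and the second BS address are assumptions; the inventory is constructed.

```sh
#!/bin/sh
# Added example (not from the FAQ): generate clients.conf entries, one per BS/ASNGW,
# instead of a single subnet entry sharing one secret.

MIN_SECRET_LEN=16   # assumption: shortest shared secret accepted

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad whose octets are 0..255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# client_stanza NAME IPADDR PREFIXLEN SECRET
# Prints one clients.conf stanza in FreeRADIUS 2.x syntax; returns 1 on invalid input.
client_stanza() {
    name=$1; ip=$2; prefix=$3; secret=$4
    if ! valid_ipv4 "$ip"; then
        echo "$name: invalid ipaddr '$ip'" >&2
        return 1
    fi
    case $prefix in
        ''|*[!0-9]*) echo "$name: netmask must be 0-32" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "$name: netmask must be 0-32" >&2
        return 1
    fi
    if [ ${#secret} -lt "$MIN_SECRET_LEN" ]; then
        echo "$name: secret shorter than $MIN_SECRET_LEN characters" >&2
        return 1
    fi
    case $secret in
        *\"*|*\\*) echo "$name: secret must not contain quotes or backslashes" >&2; return 1 ;;
    esac
    printf 'client %s {\n' "$name"
    printf '    ipaddr = %s\n' "$ip"
    printf '    netmask = %s\n' "$prefix"
    printf '    secret = "%s"\n' "$secret"
    printf '    shortname = %s\n' "$name"
    printf '}\n'
}

# gen_clients_conf INVENTORY
# INVENTORY holds one client per line: name ipaddr prefixlen secret.
# Stops at the first invalid line so a bad entry never reaches the server.
gen_clients_conf() {
    while read -r name ip prefix secret; do
        [ -n "$name" ] || continue
        client_stanza "$name" "$ip" "$prefix" "$secret" || return 1
    done <<EOF
$1
EOF
}

# Constructed sample inventory: the BS address from the FAQ example plus a second
# constructed BS, each with its own secret (not real credentials).
SAMPLE_CLIENTS='bs-site1 192.168.101.11 32 Kf3q-8zLp-2wXn-7vTb
bs-site2 192.168.101.12 32 Rm9c-4hJd-6yQs-1nPa'

# Example run: print the stanzas for the sample inventory.
gen_clients_conf "$SAMPLE_CLIENTS"
```

Keeping the inventory in one place and generating the file means each BS can be given a distinct secret and the entry for a decommissioned BS can be removed without touching the others, which is what the per-client form buys over the /24 entry.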

3.2.3 Users file

The users file includes the user credentials.

In order to add a user to the users file, insert a line in the following format:
Username Cleartext-Password := password
The username shall correspond to the inner NAI of the CPE, i.e. it can be either in
the name@domain.com format or just a name (without the domain).
Another useful parameter for a user is Session-Timeout [seconds]. This parameter
indicates how often this user performs re-authentication.
For example:
Session-Timeout = 65535
Re-authentication time = 0.5 * Session-Timeout.
The example users file can be found on the FTP server as well.
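The following POSIX shell script is an added example, not the users file from the FTP server. It writes users-file entries in the format above, with Cleartext-Password as the check item on the first line and Session-Timeout as an indented reply item on the line after it, checks that the username has the name or name@domain shape of an NAI, and computes the re-authentication interval from the 0.5 factor given in the text. The character set accepted for NAIs and the sample users are assumptions; the credentials are constructed.

```sh
#!/bin/sh
# Added example (not from the FAQ): write users-file entries in the chapter 3.2.3 format.

# valid_nai NAME -> 0 if NAME is "user" or "user@domain" using a conservative
# character set (letters, digits, . _ -). Assumption: real CPE NAIs may use more.
valid_nai() {
    echo "$1" | grep -Eq '^[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?$'
}

# users_entry USERNAME PASSWORD [SESSION_TIMEOUT]
# Prints one users-file entry: the Cleartext-Password check item, then, when a
# timeout is given, Session-Timeout as a tab-indented reply item on the next line.
users_entry() {
    user=$1; password=$2; timeout=${3:-}
    if ! valid_nai "$user"; then
        echo "invalid NAI: '$user'" >&2
        return 1
    fi
    case $password in
        *\"*|*\\*) echo "$user: password must not contain quotes or backslashes" >&2; return 1 ;;
    esac
    if [ -n "$timeout" ]; then
        case $timeout in
            ''|*[!0-9]*) echo "$user: Session-Timeout must be a whole number of seconds" >&2; return 1 ;;
        esac
    fi
    printf '%s\tCleartext-Password := "%s"\n' "$user" "$password"
    if [ -n "$timeout" ]; then
        printf '\tSession-Timeout = %s\n' "$timeout"
    fi
}

# reauth_seconds SESSION_TIMEOUT -> re-authentication interval, 0.5 * Session-Timeout
# (integer division, so 65535 gives 32767)
reauth_seconds() {
    echo $(( $1 / 2 ))
}

# gen_sample_users
# Constructed sample (not real credentials): one CPE with a domain NAI and a
# Session-Timeout, one with a bare name and the server default.
gen_sample_users() {
    users_entry 'cpe01@example.com' 'Vx7q-pL2m-9sDk-4tRn' 65535 &&
    users_entry 'cpe02' 'Hb4w-kJ8z-2nQv-6yMc'
}

# Example run: print the sample entries.
gen_sample_users
```

Quoting the password is what makes entries with spaces or special characters parse correctly; the bare form in the FAQ works only for passwords that contain none.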

3.3 Server start


3.3.1 General

In order to start the server in debug mode, type: radiusd -x

If timestamps are needed, type: radiusd -xX
In order to start the server as a service (not debug mode), type: radiusd &

To test that Free Radius is functioning correctly, use the local radclient, which
simulates an ASNGW RADIUS request. Issue the following command as an example:
[root@ raddb]# echo User-Name = username,Password=password |
/usr/bin/radclient localhost:1812 auth radclient_secret -x
Expected output:
Sending Access Request of id 133 to 127.0.0.1 port 1812
User-Name = username
Password = password
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=133, length=20

3.3.2 Logging

Access-Request messages are logged in this file:
/var/log/radius/radacct/192.168.101.11/auth-detail-xxxxxx (xxxxxx is the current
date, 192.168.101.11 is the RADIUS client IP address).

Access-Accept and Access-Reject messages (the most important ones!) are
logged in this file:
/var/log/radius/radacct/192.168.101.11/reply-detail-xxxxxx (xxxxxx is the current
date, 192.168.101.11 is the RADIUS client IP address).
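The following POSIX shell script is an added example, not a tool from the FAQ. It reads a reply-detail file of the kind named above, counts Access-Accept and Access-Reject replies, reports the reject share and lists rejects per hour, so that a burst of rejects from one BS (a misconfigured CPE, or a credentials mismatch as in chapter 3.4) is visible without reading the file by hand. The sample file is constructed in the FreeRADIUS detail layout (a timestamp line, indented attributes, a blank line between records); the alert threshold is an assumption.

```sh
#!/bin/sh
# Added example (not from the FAQ): summarize Packet-Type lines in a reply-detail
# file from chapter 3.3.2 so that Access-Reject bursts stand out.

# count_packet_type FILE TYPE -> number of records whose Packet-Type equals TYPE
count_packet_type() {
    grep -c "^[[:space:]]*Packet-Type = $2\$" "$1" || true
}

# reject_percent FILE -> integer percentage of Access-Reject among Accept+Reject
# replies (0 when the file holds neither)
reject_percent() {
    accepts=$(count_packet_type "$1" Access-Accept)
    rejects=$(count_packet_type "$1" Access-Reject)
    total=$((accepts + rejects))
    if [ "$total" -eq 0 ]; then
        echo 0
        return 0
    fi
    echo $(( rejects * 100 / total ))
}

# rejects_exceed FILE PERCENT -> 0 when the reject share is at least PERCENT
rejects_exceed() {
    [ "$(reject_percent "$1")" -ge "$2" ]
}

# rejects_per_hour FILE -> lines "HH count", one per hour that saw a reject.
# A record header looks like "Tue Oct  7 11:15:20 2014": field 4 is the time.
rejects_per_hour() {
    awk '
        /^[^ \t]/ && NF >= 5 { hour = substr($4, 1, 2) }
        /^[ \t]+Packet-Type = Access-Reject$/ { rejects[hour]++ }
        END { for (h in rejects) printf "%s %d\n", h, rejects[h] }
    ' "$1" | sort
}

# make_sample_reply_detail
# Writes a constructed reply-detail file (three accepts, two rejects) to a
# temporary path and prints that path.
make_sample_reply_detail() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Tue Oct  7 10:00:01 2014
	Packet-Type = Access-Accept
	Session-Timeout = 65535

Tue Oct  7 10:00:05 2014
	Packet-Type = Access-Accept
	Session-Timeout = 65535

Tue Oct  7 11:15:20 2014
	Packet-Type = Access-Reject

Tue Oct  7 11:15:24 2014
	Packet-Type = Access-Reject

Tue Oct  7 11:15:30 2014
	Packet-Type = Access-Accept
	Session-Timeout = 65535

EOF
    echo "$f"
}

# Usage: sh reply-summary.sh /var/log/radius/radacct/192.168.101.11/reply-detail-20141007
if [ -n "${1:-}" ]; then
    echo "accept=$(count_packet_type "$1" Access-Accept) reject=$(count_packet_type "$1" Access-Reject)"
    echo "reject share: $(reject_percent "$1")%"
    rejects_per_hour "$1"
    rejects_exceed "$1" 25 && echo "WARNING: reject share at or above 25%"   # assumed threshold
fi
```

Run it over the reply-detail file of one client IP directory per day; because the detail files are split per RADIUS client, a high reject share in one directory points at that BS or its CPEs rather than at the server as a whole.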

3.4 Possible problems and solutions


Table 3-1: Problems and solutions

Problem:  During the radiusd start, the debug shows that there is a permission error
          for a certain file (for example, eap.conf).
Solution: Make sure there is read/write permission for the file. To change the
          permission use the chmod command.
          Also, make sure the radiusd.conf file has the following configuration of the
          user and group:
          user=root
          group=root

Problem:  Debug log presents:
          auth: Failed to validate the user.
          Login incorrect:
Solution: Check the user credentials in the users file. There is probably a credentials
          mismatch between the CPE and AAA, or the user is not configured in the AAA.
